Pavol Rusnak via openssh-unix-dev: > Quoting from [1]: > > It really makes no sense to me why credential management is needed by > OpenSSH in the first place. In fact it doesn't even make sense to me why > resident credentials are needed by OpenSSH. Firstly, the private key file > `id_ed25519_sk` contains primarily the FIDO credential, which is nothing > secret and should logically be placed in `id_ed25519_sk.pub` which resides > on the remote server. This way FIDO authenticators wouldn't even need to > support resident credentials to function with OpenSSH. They don't need to support resident credentials. OpenSSH's FIDO support is fundamentally based on U2F aka FIDO1, which doesn't even feature resident keys. The U2F/FIDO key handle is placed in id_ecdsa_sk. That provides a very useful property: If an attacker steals my authenticator, they still cannot log into my accounts because they lack id_ecdsa_sk. Note that U2F was conceived as a second factor in a 2FA scheme. If you allow a login simply with the FIDO credential, you're back to a single factor. By moving the key handle into the SSH private key, OpenSSH splits this into two again: (1) possession of the authenticator and (2) possession of the SSH private key (= FIDO key handle). Any old U2F authenticator can be used with OpenSSH's U2F/FIDO support. You only need FIDO2 for the _additional_ features of ED25519 and resident keys... > I see no justifiable reason why to load resident keys from a > FIDO authenticator to the SSH client computer, which is what `ssh-add -K` > does. The use case for supporting FIDO2 residential keys appears to be that you can use ssh on a machine which does not already have a copy of id_ecdsa_sk, say, in a corporate network. You can use ssh-add -K to download the FIDO key handle from the authenticator. Note that the authenticator will only allow this after the user has entered a PIN or a fingerprint etc. to confirm their identity to the authenticator, so again a simple theft of the authenticator does not provide an attacker with access. IIRC, the principal difference between CTAP 2.0 and 2.1 is that 2.1 allows the deletion of individual keys, whereas 2.0 only provides a reset of the authenticator that deletes all keys. That's an issue when the authenticator's storage capacity has been exhausted, but it has nothing to do with OpenSSH. -- Christian "naddy" Weisgerber naddy@xxxxxxxxxxxx _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
